Can IAM solutions benefit from Blockchain?

Last updated: 21 November 2017

A still-nascent technology, a Blockchain is a decentralized database in which all participating systems (or ‘nodes’) store an identical copy of all the data. Like a chain, each block of information is inextricably linked to the previous one, forming an ever-growing chain of information blocks. The blocks on the Blockchain are immutable, meaning they can never be changed, making Blockchain ideal for archiving and storing information or serving as a distributed ledger.

Blockchain 101
The hype around Blockchain stems from the fact that it is a decentralized database that enables “parties who don’t fully trust each other to form and maintain consensus about the existence, status and evolution of a set of shared facts.”

This kind of data-sharing among distrustful strangers has made it possible for the most famous Blockchain, Bitcoin, to exist. The bitcoin e-currency, or cryptocurrency as it is called due to its heavy reliance on cryptography, is the first form of currency in the world that is not centrally issued and controlled by a nation-state or government.

Blockchain has been hailed for its:

Ability to archive data in a non-modifiable, non-deletable manner

Capacity to support pseudo-anonymous transactions

Freedom from a central authority thanks to its decentralized structure

What goes on the Blockchain, stays on the Blockchain
Is Blockchain the answer to the explosion of digital identities each of us has to deal with on a daily basis? The reality is that over 20 companies have already established Blockchain-based infrastructures for varying functions of the Identity and Access Management (IAM) stack. Nonetheless, the debate around Blockchain-based identity is fueled by several concerns:

It’s a database, not an access control engine – Distributed ledgers such as Blockchain are good at storing and archiving information in an immutable manner. The idea is that you have a safe, secure repository of important information such as monetary transactions, healthcare records or real estate deeds. Managing access permissions and real-time contextual authorization enforcement are not activities usually performed by databases.

GDPR’s Right to Be Forgotten – Since information blocks on the Blockchain cannot be removed or modified, how can you ensure “the right to be forgotten” stipulated in the GDPR regulation, whose purpose is to give EU citizens control over how their personal data is stored? One potential solution is sharing different identity attributes separately (e.g. age, name, address) so that they cannot be linked to one another. It has also been suggested that attributes could be shared in a cryptographically valid way so as to ensure that they are only visible to the party you’re transacting with.

Hashes go stale – While blocks are linked and protected using cryptographic hashes, who’s to say that some years hence those hashes will not be broken, and easily reverse engineered for the purpose of discovering information or forging it? One need only hearken back to the MD5 and SHA-1 hash algorithms, both of which were highly regarded at one time and officially downgraded the next. Again, slicing up and anonymizing identity attributes could be used to mitigate some of the risk.

Distributed blocks of data – All participants in a private or public Blockchain hold a copy of all the blocks. And while the blocks of information are indeed encrypted or hashed, given the above scenario, is that a sufficient form of protection? On the upside, since Blockchain relies on PKI public-private key pairs for signing blocks of information and authenticating, hardware-based key storage in the form of hardware PKI tokens and hardware security modules could be used to add an extra layer of security to private keys. Storing separate identity attributes as separate blocks could also potentially mitigate this risk.
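To make the hash-linking described in the opening paragraph and the "separate attributes, shared only with the party you transact with" mitigation concrete, here is a small added illustration (written for this page, not code from any of the vendors mentioned). It stores only a salted SHA-256 commitment per attribute in each block, lets a relying party verify a selective reveal, and shows that rewriting one block is caught by the next block's link even when the rewritten block's own hash is recomputed. All names and the sample attribute values are constructed for the example.

```python
import hashlib, hmac, os

GENESIS = "0" * 64  # previous-hash value recorded by the first block

def commit(attribute, value, salt):
    # Salted SHA-256 commitment to ONE attribute. Only this digest goes on the chain;
    # the salt and value are shown off-chain to the party you are transacting with.
    return hashlib.sha256(salt + attribute.encode() + b"=" + value.encode()).hexdigest()

def reveal_matches(attribute, value, salt, on_chain):
    # The relying party recomputes the commitment from what it was shown.
    return hmac.compare_digest(commit(attribute, value, salt), on_chain)

def block_hash(index, prev_hash, commitment):
    return hashlib.sha256(f"{index}|{prev_hash}|{commitment}".encode()).hexdigest()

class Ledger:
    def __init__(self):
        self.blocks = []  # each block: {"index", "prev_hash", "commitment", "hash"}

    def append(self, commitment):
        prev = self.blocks[-1]["hash"] if self.blocks else GENESIS
        idx = len(self.blocks)
        self.blocks.append({"index": idx, "prev_hash": prev, "commitment": commitment,
                            "hash": block_hash(idx, prev, commitment)})

    def first_bad_block(self):
        # Index of the first block whose link or hash fails to verify; -1 if intact.
        prev = GENESIS
        for b in self.blocks:
            if b["prev_hash"] != prev or b["hash"] != block_hash(b["index"], b["prev_hash"], b["commitment"]):
                return b["index"]
            prev = b["hash"]
        return -1

def demo():
    # Constructed walk-through: age and address are committed as separate blocks (unlinkable
    # without the salts), a reveal of the age is checked, then the age block is rewritten.
    ledger = Ledger()
    age_salt, addr_salt = os.urandom(16), os.urandom(16)
    ledger.append(commit("age", "42", age_salt))
    ledger.append(commit("address", "1 Example Street", addr_salt))
    reveal_ok = reveal_matches("age", "42", age_salt, ledger.blocks[0]["commitment"])
    intact = ledger.first_bad_block()
    b = ledger.blocks[0]
    b["commitment"] = commit("age", "17", age_salt)
    b["hash"] = block_hash(b["index"], b["prev_hash"], b["commitment"])  # even recomputed...
    return reveal_ok, intact, ledger.first_bad_block()  # ...block 1's prev_hash no longer matches
```

Note that the commitment only hides the value as long as the hash stays unbroken and the salt stays private, which is exactly the "hashes go stale" concern above.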

Identity proofing and verification – Who would be responsible for confirming the validity of the identity attributes that you provide to the Blockchain? For example, that you are in fact who you claim to be, and not a fraudster? To this end, government-issued digital identities, such as those covered by the EU’s eIDAS regulation and issued by many EU governments, could come in handy, and they too rely on PKI certificate-based credentials. Adding an additional factor, e.g. behavior-based, biometric, knowledge-based or context-based authentication, could be used to enhance the level of assurance. It has also been suggested that other service providers, such as social media sites, telcos and banks, could corroborate some of these attributes with information that they hold, acting as a trusted third party for the verification of certain attributes: your address, your phone number, age, etc.